Smart Grid News

The need for regulators to enforce cyber security measures

Grid modernization projects are fully underway across the country, which is driving a need for increased cyber security to ensure resiliency, reliability and safety surrounding America's electricity distribution system.

Already, critical infrastructure has been threatened by a number of vulnerabilities, including Stuxnet, Aurora, RuggedCom and other hacks into the grid. These attacks, as well as the fact that they will happen again, are driving state energy regulators to ramp up enforcement of cyber security standards, Smart Grid News reports.

So far, smart grid security has been addressed best by the federal regulator the North American Electric Reliability Corporation (NERC), which has drafted several requirements for critical infrastructure protection (CIP). These regulations have led many utilities to adopt software and programs that ensure they are compliant, but even these NERC CIP measures are not all-encompassing for total smart grid protection, says Elizaveta Malashenko, leader of smart grid work at the California Public Utilities Commission (CPUC).

"First, NERC-CIP primarily covers only generation and transmission assets that qualify as 'critical,'" she wrote in Smart Grid News. "Estimates suggest that 80-90 percent of grid assets are outside NERC-CIP’s scope. Second, NERC-CIP is primarily compliance-based. Compliance is important, but it is not enough to ensure that the rapidly evolving risks are adequately considered and acted upon."

Malashenko asserts that now is the time for state regulators to step in to play a larger role in cyber security. Already, more regulators are seeing federal regulations as inefficient ways of keeping tabs on cyber security. As more grid modernization projects unfold, they will be increasingly installed on the distribution grid, which currently lies outside the jurisdiction of NERC.

According to the media outlet, utilities typically perform minimum compliance measures, and while this is sufficient from a business standpoint, it still leaves many gaps in cyber security that could be exploited in a number of ways. Also, because no system has proven to be 100 percent effective, utilities are at times reluctant to invest heavily in cyber security. This will put the burden on state regulators to encourage utilities to beef up security across their entire enterprise.

SUBNET products were designed to promote strong cyber security in addition to compliance. By working with Microsoft, SUBNET delivers regular patches to software users, taking a proactive approach to mitigating the risks of serious cyber security threats.